[Unbound-users] Compile ldns 1.6.16/unbound 1.4.19 on Solaris 10.
Simon-Bernard Drolet
simon.bernard.drolet at gmail.com
Fri Jan 11 03:41:48 UTC 2013
HI again,
Sorry to get back at this... I wrongly said it was all ok...
I did the change, recompile, and got it working, but on Solaris 11...
Not 10...
So on Solaris 11, with these options :
./configure --prefix=/opt/unbound --disable-gost --disable-sha2
--disable-ecdsa
and the fixed #ifdefs in dane.c. It works... (Compiles, run, all ok)_.
But on Solaris 10, with the same options to configure, I get an error
for X509_check_ca used in dane.c :
./libtool --tag=CC --quiet --mode=compile cc -I. -I. -DHAVE_CONFIG_H -O2
-g -xc99 -D__EXTENSIONS__ -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112
-D_XOPEN_SOURCE=600 -D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
"./dane.c", line 295: warning: implicit function declaration: X509_check_ca
and at the end:
./libtool --tag=CC --quiet --mode=link cc -O2 -g -xc99 -D__EXTENSIONS__
-D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
-D_ALL_SOURCE -lnsl -lsocket -version-number 1:6:16 -no-undefined
-L/usr/sfw/lib -lcrypto -export-symbols-regex
'^(ldns_|b32_[pn]to[pn]|mktime_from_utc|qsort_rr_compare_nsec3)' -o
libldns.la buffer.lo dane.lo dname.lo dnssec.lo dnssec_sign.lo
dnssec_verify.lo dnssec_zone.lo duration.lo error.lo higher.lo
host2str.lo host2wire.lo keys.lo net.lo packet.lo parse.lo rbtree.lo
rdata.lo resolver.lo rr.lo rr_functions.lo sha1.lo sha2.lo str2host.lo
tsig.lo update.lo util.lo wire2host.lo zone.lo compat/b64_pton.lo
compat/b64_ntop.lo compat/b32_pton.lo compat/b32_ntop.lo
compat/timegm.lo -rpath /opt/unbound/lib
Undefined first referenced
symbol in file
X509_check_ca .libs/dane.o
ld: fatal: symbol referencing errors. No output written to
.libs/libldns.so.1.6.16
gmake: *** [libldns.la] Error 2
So, again, any help, some ifdef missing ?
IN dane.c, I can see two calls to X509_check_ca,
281 /* Pop n+1 certs and return the last popped.
282 */
283 static ldns_status
284 ldns_dane_get_nth_cert_from_validation_chain(
285 X509** cert, STACK_OF(X509)* chain, int n, bool ca)
286 {
287 if (n >= sk_X509_num(chain) || n < 0) {
288 return LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE;
289 }
290 *cert = sk_X509_pop(chain);
291 while (n-- > 0) {
292 X509_free(*cert);
293 *cert = sk_X509_pop(chain);
294 }
295 if (ca && ! X509_check_ca(*cert)) {
296 return LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
297 }
298 return LDNS_STATUS_OK;
299 }
And:
555 /* Return whether any certificate from the chain with
selector/matching_type
556 * matches data.
557 * ca should be true if the certificate has to be a CA
certificate too.
558 */
559 static ldns_status
560 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
561 ldns_tlsa_selector selector,
562 ldns_tlsa_matching_type matching_type,
563 ldns_rdf* data, bool ca)
564 {
565 ldns_status s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
566 size_t n, i;
567 X509* cert;
568
569 n = (size_t)sk_X509_num(chain);
570 for (i = 0; i < n; i++) {
571 cert = sk_X509_pop(chain);
572 if (! cert) {
573 s = LDNS_STATUS_SSL_ERR;
574 break;
575 }
576 s = ldns_dane_match_cert_with_data(cert,
577 selector, matching_type, data);
578 if (ca && s == LDNS_STATUS_OK && !
X509_check_ca(cert)) {
579 s = LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
580 }
581 X509_free(cert);
582 if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) {
583 break;
584 }
585 /* when s == LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH,
586 * try to match the next certificate
587 */
588 }
589 return s;
590 }
591
Thank's.
On 12/17/12 08:23 PM, Simon-Bernard Drolet wrote:
> Hi Wouter,
>
> Thank's.
>
> This is compiling now, thank's.
>
> A simple ifdef !
>
>> Hi Simon-Bernard,
>>
>> On 12/15/2012 10:10 PM, Simon-Bernard Drolet wrote:
>>> Hi Dan,
>>>
>>> Thank's for the infos.
>>>
>>> But my goal here is to get unbound and drill to compile with the
>>> stock openssl from Solaris just like in previous version.
>>>
>>> And because there is still a configure option to compile without
>>> sha2, it should work...
>>>
>>> So there is an issue with some ifdefs...
>> Yes, they are fixed, below the patch for it if you want it. The patch
>> is also applied for the next release of ldns.
>>
>> Best regards,
>> Wouter
>>
>> Index: dane.c
>> ===================================================================
>> - --- dane.c (revision 3810)
>> +++ dane.c (working copy)
>> @@ -121,6 +121,7 @@
>> return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
>> break;
>>
>> +#ifdef USE_SHA2
>> case LDNS_TLSA_MATCHING_TYPE_SHA256:
>>
>> digest = LDNS_XMALLOC(unsigned char, SHA256_DIGEST_LENGTH);
>> @@ -150,6 +151,7 @@
>>
>> return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
>> break;
>> +#endif /* USE_SHA2 */
>>
>> default:
>> LDNS_FREE(buf);
>>
>
>
> On 12/14/12 04:50 PM, Simon-Bernard Drolet wrote:
>> Hello,
>>
>> I'm trying to update my libevent, ldns and unbound package.
>>
>> I'm configuring the compile like this: (because of default ssl in
>> Solaris 10).
>>
>> # ./configure --disable-sha2 --disable-gost --disable-ecdsa
>>
>> While trying to compile ldns, I get this:
>>
>> # gmake
>> ./libtool --tag=CC --quiet --mode=compile gcc -I. -I. -DHAVE_CONFIG_H
>> -Wwrite-strings -W -Wall -O2 -g -std=c99 -D__EXTENSIONS__
>> -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
>> -D_ALL_SOURCE -I/usr/sfw/include -c ./dane.c -o dane.lo
>> ./dane.c: In function `ldns_dane_cert2rdf':
>> ./dane.c:122: error: `SHA256_DIGEST_LENGTH' undeclared (first use in
>> this function)
>> ./dane.c:122: error: (Each undeclared identifier is reported only once
>> ./dane.c:122: error: for each function it appears in.)
>> ./dane.c:137: error: `SHA512_DIGEST_LENGTH' undeclared (first use in
>> this function)
>> ./dane.c: In function `ldns_dane_get_nth_cert_from_validation_chain':
>> ./dane.c:293: warning: implicit declaration of function `X509_check_ca'
>> gmake: *** [dane.lo] Error 1
>>
>>
>> Any pointers ?
>>
>> It was ok in 1.6.13... But I get the same error with 1.6.14, 1.6.15
>> and 1.6.16... With the dane.c file...
>>
>
>
--
Simon-Bernard Drolet, SPecialiste X Inc., 514.247.6741
Simon.Bernard.Drolet<at>gmail(dot)com, Senior Solaris Contractor, Canada
More information about the Unbound-users
mailing list